From wsffree at hotmail.com  Mon May 12 06:39:03 2003
From: wsffree at hotmail.com (Wang Shaofu)
Date: Mon, 12 May 2003 21:39:03 +0800
Subject: how to use list of STL in Bro?
Message-ID:

Hi all

I add a variable to class SteppingStoneManager:

+ #include
class SteppingStoneManager {
public:
    SteppingStoneManager()  { endp_cnt = 0; }

    PQueue(SteppingStoneEndpoint)& OrderedEndpoints()
        { return ordered_endps; }

    // Use postfix ++, since the first ID needs to be even.
    int NextID()  { return endp_cnt++; }

++++ list Flow_list;

protected:
    PQueue(SteppingStoneEndpoint) ordered_endps;
    int endp_cnt;
};

And the code is compiled successfully. But at runtime, Bro meets an error:

[@]# ./bro -i eth0 ssh-stepping.bro
listening on eth0
Segmentation fault   <----------------------------------here!!!

The gdb reports that the error is in malloc.c!!!

What should I do to use list of STL in Bro???

Appreciate! Any help is welcome!

Have a nice day!
Ciao
Cloud


From vern at icir.org  Mon May 12 23:24:34 2003
From: vern at icir.org (Vern Paxson)
Date: Mon, 12 May 2003 23:24:34 -0700
Subject: how to use list of STL in Bro?
In-Reply-To: Your message of Mon, 12 May 2003 21:39:03 +0800.
Message-ID: <200305130624.h4D6OY0E052671@jaguar.icir.org>

> I add a variable to class SteppingStoneManager:

When you do this, you need to issue "make clean ; make" in order to
recompile all the .o's that depend on the modified class. The rules in
the Makefile do not reflect all of the .h dependencies. (This is
deliberate - it is too much of a pain when doing development to have
them.)

Vern


From lxg0601 at xanet.edu.cn  Mon May 12 23:55:16 2003
From: lxg0601 at xanet.edu.cn (Xiaogang Liu)
Date: Tue, 13 May 2003 14:55:16 +0800
Subject: how to use list of STL in Bro?
In-Reply-To: Your message of Mon, 12 May 2003 21:39:03 +0800.
Message-ID: <200305130624.h4D6OY0E052671@jaguar.icir.org>

A non-text attachment was scrubbed...
Name: not available
Type:
Size: 347 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030513/2c6088a0/attachment.ksh


From lxg0601 at xanet.edu.cn  Tue May 13 00:32:41 2003
From: lxg0601 at xanet.edu.cn (Xiaogang Liu)
Date: Tue, 13 May 2003 15:32:41 +0800
Subject: how to use list of STL in Bro?
In-Reply-To: Your message of Mon, 12 May 2003 21:39:03 +0800.
Message-ID: <200305130624.h4D6OY0E052671@jaguar.icir.org>

A non-text attachment was scrubbed...
Name: not available
Type:
Size: 351 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030513/2c6088a0/attachment-0001.ksh


From lxg0601 at xanet.edu.cn  Tue May 13 01:07:54 2003
From: lxg0601 at xanet.edu.cn (Xiaogang Liu)
Date: Tue, 13 May 2003 16:07:54 +0800
Subject: how to use list of STL in Bro?
In-Reply-To: Your message of Mon, 12 May 2003 21:39:03 +0800.
Message-ID: <200305130624.h4D6OY0E052671@jaguar.icir.org>

A non-text attachment was scrubbed...
Name: not available
Type:
Size: 355 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030513/2c6088a0/attachment-0002.ksh


From wsffree at hotmail.com  Mon May 26 04:14:32 2003
From: wsffree at hotmail.com (Wang Shaofu)
Date: Mon, 26 May 2003 19:14:32 +0800
Subject: about NLANR
Message-ID:

Hi

I used the trace file from NLANR to test Bro. But Bro does nothing but
report bad checksum.

Sessions.cc:
    Weird("bad_IP_checksum", hdr, pkt);
    return;

TCP.cc:
    Weird("bad_TCP_checksum");
    return;

What should I do, to make trace file available to Bro?

Thanks very much!

Have a nice day!
Ciao
Cloud


From chnze at mail.wzptt.zj.cn  Tue May 27 04:32:48 2003
From: chnze at mail.wzptt.zj.cn (chnze at mail.wzptt.zj.cn)
Date: Tue, 27 May 2003 19:32:48 +0800
Subject: Supply electric appliances
Message-ID: <200305271133.h4RBX6rV017650@postala.lbl.gov>

From: Mr Sander Yuan, G.Manager
Chnze Electric Equipment Co.ltd.
No.17-505 Lumingyuan Lucheng Industrial zone
Wenzhou China 325007
Fax: 86-577-88776860
Tel: 86-577-88776861 or 88776862
E-mail: qunze at mail.wzptt.zj.cn
        chnze at mail.wzptt.zj.cn
http://www.chnze.com; http://www.electricbase.com

Dear Sir,

We are pleased to introduce ourselves as leading manufacturers and
exporters in Electrical Items and Accessories. Our Products include:

 1. Circuit breaker (MCB, ELCB, MCCB)
 2. Ac contactor, Magnetic starter
 3. Relays (Mini relay, time relay, thermal relay)
 4. Meters (panel meter, water meter, watthour meters)
 5. Fuses link and fuse base
 6. Stabilizer, UPS (uninterruptible power supply)
 7. Energy saving lamps
 8. Nylon cable tie, Cable clips, terminal block
 9. Micro switch & Limit switch, pushbutton switch
10. Permanent micro DC motor
11. Electrical accessories

Please kindly visit our website http://www.chnze.com for detail
information on our range of products. You are requested to send us your
inquiries for the same.

Thanking You & Best Regards
Sander Yuan/G.manager
Chnze electric equipment co.ltd.


From scrosby at cs.rice.edu  Thu May 29 13:42:24 2003
From: scrosby at cs.rice.edu (Scott A Crosby)
Date: 29 May 2003 15:42:24 -0500
Subject: Devastating DoS attack on Bro via Algorithmic Complexity Attacks
Message-ID:

Hello.
We have analyzed this software to determine its vulnerability to a new
class of DoS attacks that relate to a recent paper, ''Denial of Service
via Algorithmic Complexity Attacks.''

This paper discusses a new class of denial of service attacks that work
by exploiting the difference between average case performance and
worst-case performance. In an adversarial environment, the data
structures used by an application may be forced to experience their
worst case performance. For instance, hash tables are usually thought of
as being constant time operations, but with large numbers of collisions
will degrade to a linked list and may lead to a 100-10,000 times
performance degradation. Because of the widespread use of hash tables,
the potential for attack is extremely widespread. Fortunately, in many
cases, other limits on the system limit the impact of these attacks.

To be attackable, an application must have a deterministic or
predictable hash function and accept untrusted input. In general, for
the attack to be significant, the applications must be willing and able
to accept hundreds to tens of thousands of 'attack inputs'. Because of
that requirement, it is difficult to judge the impact of these attacks
without knowing the source code extremely well, and knowing all ways in
which a program is used.

In my paper, I attacked bro-pub-0.8a20's port scanning detector. The
result of this attack was a packet drop rate of 30-70% with an attack
traffic of only 16kbits, and a complete overload in approximately 7
minutes. You may wish to consider replacing that hash function with
universal hashing. For installations of Bro, this is a CRITICAL DoS
vulnerability. The paper discusses the attack and results at length.

The solution for these attacks on hash tables is to make the hash
function unpredictable via a technique known as universal hashing.
Universal hashing is a keyed hash function where, based on the key, one
of a large set of hash functions is chosen.
When benchmarking, we observe that for short or medium length inputs, it
is comparable in performance to simple predictable hash functions such
as the ones in Python or Perl. Our paper has graphs and charts of our
benchmarked performance.

I highly advise using a universal hashing library, either our own or
someone else's. As is historically seen, it is very easy to make silly
mistakes when attempting to implement your own 'secure' algorithm.

The abstract, paper, and a library implementing universal hashing are
available at http://www.cs.rice.edu/~scrosby/hash/.

Scott


From vern at icir.org  Thu May 29 13:47:38 2003
From: vern at icir.org (Vern Paxson)
Date: Thu, 29 May 2003 13:47:38 -0700
Subject: Devastating DoS attack on Bro via Algorithmic Complexity Attacks
In-Reply-To: Your message of 29 May 2003 15:42:24 CDT.
Message-ID: <200305292047.h4TKlcXu071534@jaguar.icir.org>

Ruoming Pang has already added such a hash function in response to your
paper, it'll be included in an upcoming release.

Vern
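

An added illustration, not part of the thread and not code from Bro or from the paper: it measures how a chained hash table degrades under a fixed, publicly known hash function and how a keyed universal hash (the Carter-Wegman family h(x) = ((a*x + b) mod p) mod m) removes the predictability. The table size, the key packing and the modulo "predictable" hash are assumptions chosen for the demonstration, and the input keys are constructed.

```python
import secrets
from collections import Counter

BUCKETS = 1024            # assumed table size for the demonstration
P = (1 << 61) - 1         # prime larger than any 48-bit key used below


def flow_key(src_ip: int, dst_port: int) -> int:
    """Pack a (source address, destination port) pair into one integer key."""
    return (src_ip << 16) | dst_port


def predictable_hash(key: int) -> int:
    """Fixed, publicly known function: the bucket depends only on low key bits."""
    return key % BUCKETS


class UniversalHash:
    """Carter-Wegman family h(x) = ((a*x + b) mod p) mod m, keyed per process."""

    def __init__(self, buckets: int = BUCKETS):
        self.m = buckets
        self.a = secrets.randbelow(P - 1) + 1   # secret multiplier in 1..p-1
        self.b = secrets.randbelow(P)           # secret offset in 0..p-1

    def __call__(self, key: int) -> int:
        return ((self.a * key + self.b) % P) % self.m


def longest_chain(keys, hash_fn) -> int:
    """Worst-case lookup cost in a chained table: size of the fullest bucket."""
    return max(Counter(hash_fn(k) for k in keys).values())


def worst_case_keys(n: int):
    """Constructed input: distinct sources, one port that is a multiple of BUCKETS."""
    return [flow_key(0x0A000000 + i, 2 * BUCKETS) for i in range(n)]


def compare(n: int = 2000):
    """Return (longest chain with the fixed hash, longest chain with a keyed hash)."""
    keys = worst_case_keys(n)
    return longest_chain(keys, predictable_hash), longest_chain(keys, UniversalHash())


if __name__ == "__main__":
    fixed, keyed = compare()
    print(f"predictable hash: longest chain {fixed}")
    print(f"universal hash:   longest chain {keyed}")
```

With the fixed function every constructed key lands in one bucket, so each lookup walks the whole list; with a fresh secret (a, b) the same keys spread across the table because the sender cannot know which function of the family is in use.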